Merge branch 'master' into topic/jsiwek/supervisor

2025-10-04 23:58:20 +00:00 · 2020-01-07 14:55:51 -08:00 · 2020-01-07 14:55:51 -08:00 · 6046da9993
commit 6046da9993
parent 22431dbecb 0c55b01ec9
314 changed files with 3709 additions and 5389 deletions
--- a/scripts/base/frameworks/logging/main.zeek
+++ b/scripts/base/frameworks/logging/main.zeek
@ -12,7 +12,9 @@ export {
 	## file.
 	type Log::ID: enum {
 		## Dummy place-holder.
-		UNKNOWN
+		UNKNOWN,
+		## Print statements that have been redirected to a log stream.
+		PRINTLOG
 	};

 	## If true, local logging is by default enabled for all filters.
@ -75,6 +77,36 @@ export {
 	## Returns: The path to be used for the filter.
 	global default_path_func: function(id: ID, path: string, rec: any) : string &redef;

+	## If :zeek:see:`Log::print_to_log` is set to redirect, ``print`` statements will
+	## automatically populate log entries with the fields contained in this record.
+	type PrintLogInfo: record {
+		## Current timestamp.
+		ts:                  time              &log;
+		## Set of strings passed to the print statement.
+		vals:                string_vec        &log;
+	};
+
+	## Configurations for :zeek:see:`Log::print_to_log`
+	type PrintLogType: enum {
+		## No redirection of ``print`` statements.
+		REDIRECT_NONE,
+		## Redirection of those ``print`` statements that were being logged to stdout,
+		## leaving behind those set to go to other specific files.
+		REDIRECT_STDOUT,
+		## Redirection of all ``print`` statements.
+		REDIRECT_ALL
+	};
+
+	## Event for accessing logged print records.
+	global log_print: event(rec: PrintLogInfo);
+
+	## Set configuration for ``print`` statements redirected to logs.
+	const print_to_log: PrintLogType = REDIRECT_NONE &redef;
+
+	## If :zeek:see:`Log::print_to_log` is enabled to write to a print log,
+	## this is the path to which the print Log Stream writes to
+	const print_log_path = "print" &redef;
+
 	# Log rotation support.

 	## Information passed into rotation callback functions.
@ -643,3 +675,9 @@ function remove_default_filter(id: ID) : bool
 	{
 	return remove_filter(id, "default");
 	}
+
+event zeek_init() &priority=5
+	{
+	if ( print_to_log != REDIRECT_NONE )
+		Log::create_stream(PRINTLOG, [$columns=PrintLogInfo, $ev=log_print, $path=print_log_path]);
+	}
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@ -144,7 +144,7 @@ event tunnel_changed(c: connection, e: EncapsulatingConnVector) &priority=5
 	register_all(e);
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c$id in active )
 		close(active[c$id], CLOSE);
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -120,6 +120,22 @@ type mime_match: record {
 ## :zeek:see:`file_magic`
 type mime_matches: vector of mime_match;

+## Properties of an I/O packet source being read by Zeek.
+type PacketSource: record {
+	## Whether the packet source is a live interface or offline pcap file.
+	live: bool;
+	## The interface name for a live interface or filesystem path of
+	## an offline pcap file.
+	path: string;
+	## The data link-layer type of the packet source.
+	link_type: int;
+	## The netmask assoicated with the source or ``NETMASK_UNKNOWN``.
+	netmask: count;
+};
+
+## A list of packet sources being read by Zeek.
+type PacketSourceList: vector of PacketSource;
+
 ## A connection's transport-layer protocol. Note that Zeek uses the term
 ## "connection" broadly, using flow semantics for ICMP and UDP.
 type transport_proto: enum {
@ -419,6 +435,11 @@ type connection: record {

 	## The inner VLAN, if applicable for this connection.
 	inner_vlan: int &optional;
+
+        ## Flag that will be true if :zeek:see:`connection_successful` has
+        ## already been generated for the connection. See the documentation of
+        ## that event for a definition of what makes a connection "succesful".
+	successful: bool;
 };

 ## Default amount of time a file can be inactive before the file analysis
@ -2581,7 +2602,7 @@ export {
 		negotiate_lm_key       : bool;
 		## If set, requests connectionless authentication
 		negotiate_datagram     : bool;
-		## If set, requests session key negotiation for message 
+		## If set, requests session key negotiation for message
 		## confidentiality
 		negotiate_seal         : bool;
 		## If set, requests session key negotiation for message
@ -2769,7 +2790,7 @@ export {
 		## The server supports compressed data transfer. Requires bulk_transfer.
 		## Note: No known implementations support this
 		compressed_data	   : bool;
-		## The server supports extended security exchanges	
+		## The server supports extended security exchanges
 		extended_security  : bool;
 	};

@ -2862,7 +2883,7 @@ export {
 	};

 	type SMB1::NegotiateResponse: record {
-		## If the server does not understand any of the dialect strings, or if 
+		## If the server does not understand any of the dialect strings, or if
 		## PC NETWORK PROGRAM 1.0 is the chosen dialect.
 		core	: SMB1::NegotiateResponseCore 	&optional;
 		## If the chosen dialect is greater than core up to and including
@ -2913,7 +2934,7 @@ export {
 		## If challenge/response auth is not being used, this is the password.
 		## Otherwise, it's the response to the server's challenge.
 		## Note: Only set for pre NT LM 0.12
-		account_password	  : string &optional;		
+		account_password	  : string &optional;
 		## Client's primary domain, if known
 		## Note: not set for NT LM 0.12 with extended security
 		primary_domain		  : string &optional;
@ -2931,7 +2952,7 @@ export {
 		## Note: only set for NT LM 0.12
 		capabilities		  : SMB1::SessionSetupAndXCapabilities &optional;
 	};
-	
+
 	type SMB1::SessionSetupAndXResponse: record {
 		## Count of parameter words (should be 3 for pre NT LM 0.12 and 4 for NT LM 0.12)
 		word_count	: count;
@ -3996,7 +4017,7 @@ type bt_tracker_headers: table[string] of string;
 ## for a range of modbus coils.
 type ModbusCoils: vector of bool;

-## A vector of count values that represent 16bit modbus 
+## A vector of count values that represent 16bit modbus
 ## register values.
 type ModbusRegisters: vector of count;

--- a/scripts/base/protocols/conn/main.zeek
+++ b/scripts/base/protocols/conn/main.zeek
@ -300,6 +300,11 @@ event connection_state_remove(c: connection) &priority=5

 event connection_state_remove(c: connection) &priority=-5
 	{
-	Log::write(Conn::LOG, c$conn);
+	if ( ! c$successful )
+		Log::write(Conn::LOG, c$conn);
 	}

+event successful_connection_remove(c: connection) &priority=-5
+	{
+	Log::write(Conn::LOG, c$conn);
+	}
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@ -209,7 +209,7 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
 		}
 	}

-event connection_state_remove(c: connection)
+event successful_connection_remove(c: connection)
 	{
 	if ( ! c?$dce_rpc )
 		return;
--- a/scripts/base/protocols/dnp3/main.zeek
+++ b/scripts/base/protocols/dnp3/main.zeek
@ -63,7 +63,7 @@ event dnp3_application_response_header(c: connection, is_orig: bool, application
 	delete c$dnp3;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( ! c?$dnp3 )
 		return;
--- a/scripts/base/protocols/dns/main.zeek
+++ b/scripts/base/protocols/dns/main.zeek
@ -571,7 +571,7 @@ event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qcl
 		c$dns$rejected = T;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( ! c?$dns_state )
 		return;
--- a/scripts/base/protocols/ftp/main.zeek
+++ b/scripts/base/protocols/ftp/main.zeek
@ -322,7 +322,7 @@ event connection_reused(c: connection) &priority=5
 		c$ftp_data_reuse = T;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c$ftp_data_reuse ) return;
 	if ( [c$id$resp_h, c$id$resp_p] in ftp_data_expected )
@ -334,8 +334,8 @@ event connection_state_remove(c: connection) &priority=-5
 		}
 	}

-# Use state remove event to cover connections terminated by RST.
-event connection_state_remove(c: connection) &priority=-5
+# Use remove event to cover connections terminated by RST.
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( ! c?$ftp ) return;

--- a/scripts/base/protocols/http/main.zeek
+++ b/scripts/base/protocols/http/main.zeek
@ -321,7 +321,7 @@ event http_message_done(c: connection, is_orig: bool, stat: http_message_stat) &
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	# Flush all pending but incomplete request/response pairs.
 	if ( c?$http_state )
--- a/scripts/base/protocols/irc/dcc-send.zeek
+++ b/scripts/base/protocols/irc/dcc-send.zeek
@ -124,7 +124,7 @@ event scheduled_analyzer_applied(c: connection, a: Analyzer::Tag) &priority=10
 		add c$service["irc-dcc-data"];
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( [c$id$resp_h, c$id$resp_p] in dcc_expected_transfers )
 		{
--- a/scripts/base/protocols/krb/files.zeek
+++ b/scripts/base/protocols/krb/files.zeek
@ -118,7 +118,7 @@ event krb_tgs_response(c: connection, msg: KDC_Response)
 	fill_in_subjects(c);
 	}

-event connection_state_remove(c: connection)
+event successful_connection_remove(c: connection)
 	{
 	fill_in_subjects(c);
 	}
--- a/scripts/base/protocols/krb/main.zeek
+++ b/scripts/base/protocols/krb/main.zeek
@ -228,7 +228,7 @@ event krb_tgs_response(c: connection, msg: KDC_Response) &priority=-5
 	do_log(c);
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	do_log(c);
 	}
--- a/scripts/base/protocols/mysql/main.zeek
+++ b/scripts/base/protocols/mysql/main.zeek
@ -122,7 +122,7 @@ event mysql_ok(c: connection, affected_rows: count) &priority=-5
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$mysql )
 		{
--- a/scripts/base/protocols/ntlm/main.zeek
+++ b/scripts/base/protocols/ntlm/main.zeek
@ -106,7 +106,7 @@ event gssapi_neg_result(c: connection, state: count) &priority=-3
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$ntlm && ! c$ntlm$done )
 		{
--- a/scripts/base/protocols/radius/main.zeek
+++ b/scripts/base/protocols/radius/main.zeek
@ -138,7 +138,7 @@ event radius_message(c: connection, result: RADIUS::Message) &priority=-5
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$radius && ! c$radius$logged )
 		{
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@ -272,7 +272,7 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason
 		write_log(c);
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	# If the connection is removed, then log the record immediately.
 	if ( c?$rdp )
--- a/scripts/base/protocols/rfb/main.zeek
+++ b/scripts/base/protocols/rfb/main.zeek
@ -151,7 +151,7 @@ event rfb_share_flag(c: connection, flag: bool) &priority=5
 	c$rfb$share_flag = flag;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$rfb )
 		{
--- a/scripts/base/protocols/sip/main.zeek
+++ b/scripts/base/protocols/sip/main.zeek
@ -289,7 +289,7 @@ event sip_end_entity(c: connection, is_request: bool) &priority = -5
 		}
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$sip_state )
 		{
--- a/scripts/base/protocols/smtp/main.zeek
+++ b/scripts/base/protocols/smtp/main.zeek
@ -298,7 +298,7 @@ event mime_one_header(c: connection, h: mime_header_rec) &priority=3
 		c$smtp$path += ip;
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$smtp )
 		smtp_message(c);
--- a/scripts/base/protocols/snmp/main.zeek
+++ b/scripts/base/protocols/snmp/main.zeek
@ -93,7 +93,7 @@ function init_state(c: connection, h: SNMP::Header): Info
 	}


-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$snmp )
 		Log::write(LOG, c$snmp);
--- a/scripts/base/protocols/socks/main.zeek
+++ b/scripts/base/protocols/socks/main.zeek
@ -111,7 +111,7 @@ event socks_login_userpass_reply(c: connection, code: count) &priority=5
 	c$socks$status = v5_status[code];
 	}

-event connection_state_remove(c: connection)
+event successful_connection_remove(c: connection)
 	{
 	# This will handle the case where the analyzer failed in some way and was
 	# removed.  We probably  don't want to log these connections.
--- a/scripts/base/protocols/ssh/main.zeek
+++ b/scripts/base/protocols/ssh/main.zeek
@ -247,7 +247,7 @@ event ssh_capabilities(c: connection, cookie: string, capabilities: Capabilities
 	                                 server_caps$server_host_key_algorithms);
 	}

-event connection_state_remove(c: connection)
+event successful_connection_remove(c: connection)
 	{
 	if ( c?$ssh && !c$ssh$logged )
 		{
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@ -329,13 +329,13 @@ event ssl_established(c: connection) &priority=-5
 	finish(c, T);
 	}

-event connection_state_remove(c: connection) &priority=20
+event successful_connection_remove(c: connection) &priority=20
 	{
 	if ( c?$ssl && ! c$ssl$logged )
 		hook ssl_finishing(c);
 	}

-event connection_state_remove(c: connection) &priority=-5
+event successful_connection_remove(c: connection) &priority=-5
 	{
 	if ( c?$ssl )
 		# called in case a SSL connection that has not been established terminates